fix: remove directory and platform-specific-errors args from multi platform (project-copacetic#1105)

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>

Author: sozercan

.github/workflows/build.yml

@@ -356,9 +356,9 @@ jobs:
           go test -v ./test/e2e/push --addr="docker://" --copa="$(pwd)/copa"
 
           
-  test-patch-multiarch:
+  test-patch-multiplatform:
     needs: build
-    name: Test patch with multiarch
+    name: Test patch with multiplatform
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions: read-all
@@ -404,9 +404,9 @@ jobs:
       - name: Install required tools
         shell: bash
         run: .github/workflows/scripts/download-tooling.sh
-      - name: Install multiarch tooling
+      - name: Install multiplatform tooling
         shell: bash
-        run: .github/workflows/scripts/download-multiarch-tooling.sh
+        run: .github/workflows/scripts/download-multiplatform-tooling.sh
       - name: Download copa from build artifacts
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:

…ws/scripts/download-multiarch-tooling.sh …cripts/download-multiplatform-tooling.sh.github/workflows/scripts/download-multiarch-tooling.sh renamed to .github/workflows/scripts/download-multiplatform-tooling.sh .github/workflows/scripts/download-multiarch-tooling.sh renamed to .github/workflows/scripts/download-multiplatform-tooling.sh

@@ -4,7 +4,7 @@
     "localImage": "localhost:5000/nginx",
     "tag": "1.27.0",
     "distro": "debian",
-    "description": "Multi-arch nginx 1.27.0, with push",
+    "description": "Multi-platform nginx 1.27.0, with push",
     "ignoreErrors": false,
     "push": true,
     "platforms": [
@@ -21,7 +21,7 @@
     "localImage": "localhost:5000/nginx",
     "tag": "1.27.0",
     "distro": "debian",
-    "description": "Multi-arch nginx 1.27.0, no push",
+    "description": "Multi-platform nginx 1.27.0, no push",
     "ignoreErrors": false,
     "push": false,
     "platforms": [

integration/multiarch/fixtures/test-images.json

@@ -85,7 +85,7 @@ func TestPatch(t *testing.T) {
 			patchedRef := fmt.Sprintf("%s:%s", img.LocalImage, tagPatched)
 
 			t.Log("patching image with multiple architectures")
-			patchMultiArch(t, ref, tagPatched, reportDir, img.IgnoreErrors, img.Push)
+			patchMultiPlatform(t, ref, tagPatched, reportDir, img.IgnoreErrors, img.Push)
 
 			t.Log("scanning patched image for each platform")
 			wg = sync.WaitGroup{}
@@ -158,7 +158,7 @@ func (w *addrWrapper) env() []string {
 	return []string{fmt.Sprintf("DOCKER_HOST=%s", a)}
 }
 
-func patchMultiArch(t *testing.T, ref, patchedTag, reportDir string, ignoreErrors, push bool) {
+func patchMultiPlatform(t *testing.T, ref, patchedTag, reportDir string, ignoreErrors, push bool) {
 	var addrFl string
 	if buildkitAddr != "" {
 		addrFl = "-a=" + buildkitAddr
@@ -168,13 +168,12 @@ func patchMultiArch(t *testing.T, ref, patchedTag, reportDir string, ignoreError
 		"patch",
 		"-i=" + ref,
 		"-t=" + patchedTag,
-		"--report-directory=" + reportDir,
+		"--report=" + reportDir,
 		"-s=" + scannerPlugin,
 		"--timeout=30m",
 		addrFl,
 		"--ignore-errors=" + strconv.FormatBool(ignoreErrors),
 		"--debug",
-		"--platform-specific-errors=fail",
 	}
 	if push {
 		args = append(args, "--push")

integration/multiarch/patch_test.go

@@ -205,7 +205,7 @@ func DiscoverPlatformsFromReference(manifestRef string) ([]types.PatchPlatform,
 		return platforms, nil
 	}
 
-	// return nil if not multi-arch, and handle as normal
+	// return nil if not multi-platform, and handle as normal
 	return nil, nil
 }
 
@@ -217,7 +217,7 @@ func DiscoverPlatforms(manifestRef, reportDir, scanner string) ([]types.PatchPla
 		return nil, err
 	}
 	if p == nil {
-		return nil, errors.New("image is not multi arch")
+		return nil, errors.New("image is not multi platform")
 	}
 	log.WithField("platforms", p).Debug("Discovered platforms from manifest")
 

pkg/buildkit/buildkit.go

@@ -16,20 +16,18 @@ import (
 )
 
 type patchArgs struct {
-	appImage               string
-	reportFile             string
-	reportDirectory        string
-	patchedTag             string
-	suffix                 string
-	workingFolder          string
-	timeout                time.Duration
-	scanner                string
-	ignoreError            bool
-	format                 string
-	output                 string
-	bkOpts                 buildkit.Opts
-	platformSpecificErrors string
-	push                   bool
+	appImage      string
+	reportFile    string
+	patchedTag    string
+	suffix        string
+	workingFolder string
+	timeout       time.Duration
+	scanner       string
+	ignoreError   bool
+	format        string
+	output        string
+	bkOpts        buildkit.Opts
+	push          bool
 }
 
 func NewPatchCmd() *cobra.Command {
@@ -49,8 +47,6 @@ func NewPatchCmd() *cobra.Command {
 				ua.timeout,
 				ua.appImage,
 				ua.reportFile,
-				ua.reportDirectory,
-				ua.platformSpecificErrors,
 				ua.patchedTag,
 				ua.suffix,
 				ua.workingFolder,
@@ -64,7 +60,7 @@ func NewPatchCmd() *cobra.Command {
 	}
 	flags := patchCmd.Flags()
 	flags.StringVarP(&ua.appImage, "image", "i", "", "Application image name and tag to patch")
-	flags.StringVarP(&ua.reportFile, "report", "r", "", "Vulnerability report file path")
+	flags.StringVarP(&ua.reportFile, "report", "r", "", "Vulnerability report file or directory path")
 	flags.StringVarP(&ua.patchedTag, "tag", "t", "", "Tag for the patched image")
 	flags.StringVarP(&ua.suffix, "tag-suffix", "", "patched", "Suffix for the patched image (if no explicit --tag provided)")
 	flags.StringVarP(&ua.workingFolder, "working-folder", "w", "", "Working folder, defaults to system temp folder")
@@ -74,11 +70,9 @@ func NewPatchCmd() *cobra.Command {
 	flags.StringVarP(&ua.bkOpts.KeyPath, "key", "", "", "Absolute path to buildkit client key")
 	flags.DurationVar(&ua.timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
 	flags.StringVarP(&ua.scanner, "scanner", "s", "trivy", "Scanner used to generate the report, defaults to 'trivy'")
-	flags.BoolVar(&ua.ignoreError, "ignore-errors", false, "Ignore errors and continue patching")
+	flags.BoolVar(&ua.ignoreError, "ignore-errors", false, "Ignore errors and continue patching (for single-arch: continue with other packages; for multi-platform: continue with other platforms)")
 	flags.StringVarP(&ua.format, "format", "f", "openvex", "Output format, defaults to 'openvex'")
 	flags.StringVarP(&ua.output, "output", "o", "", "Output file path")
-	flags.StringVarP(&ua.reportDirectory, "report-directory", "d", "", "Directory with multi-arch report files")
-	flags.StringVarP(&ua.platformSpecificErrors, "platform-specific-errors", "", "skip", "Behavior for error in patching any of sub-images for multi-arch patching: 'skip', 'warn', or 'fail'")
 	flags.BoolVarP(&ua.push, "push", "p", false, "Push patched image to destination registry")
 
 	if err := patchCmd.MarkFlagRequired("image"); err != nil {

pkg/patch/cmd.go

@@ -64,10 +64,10 @@ func archTag(base, arch, variant string) string {
 	return fmt.Sprintf("%s-%s", base, arch)
 }
 
-// createMultiArchManifest assembles a multi-arch manifest list and pushes it
+// createMultiPlatformManifest assembles a multi-platform manifest list and pushes it
 // via Buildx's imagetools helper (equivalent to
 // `docker buildx imagetools create --tag … img@sha256:d1 img@sha256:d2 …`).
-func createMultiArchManifest(
+func createMultiPlatformManifest(
 	ctx context.Context,
 	imageName reference.NamedTagged,
 	items []types.PatchResult,
@@ -95,7 +95,7 @@ func createMultiArchManifest(
 
 	err = resolver.Push(ctx, imageName, desc, idxBytes)
 	if err != nil {
-		return fmt.Errorf("failed to push multi-arch manifest list: %w", err)
+		return fmt.Errorf("failed to push multi-platform manifest list: %w", err)
 	}
 
 	return nil
@@ -125,7 +125,7 @@ func normalizeConfigForPlatform(j []byte, p *types.PatchPlatform) ([]byte, error
 // Patch command applies package updates to an OCI image given a vulnerability report.
 func Patch(
 	ctx context.Context, timeout time.Duration,
-	image, reportFile, reportDirectory, platformSpecificErrors, patchedTag, suffix, workingFolder, scanner, format, output string,
+	image, reportPath, patchedTag, suffix, workingFolder, scanner, format, output string,
 	ignoreError, push bool,
 	bkOpts buildkit.Opts,
 ) error {
@@ -134,7 +134,7 @@ func Patch(
 
 	ch := make(chan error)
 	go func() {
-		ch <- patchWithContext(timeoutCtx, ch, image, reportFile, reportDirectory, platformSpecificErrors, patchedTag, suffix, workingFolder, scanner, format, output, ignoreError, push, bkOpts)
+		ch <- patchWithContext(timeoutCtx, ch, image, reportPath, patchedTag, suffix, workingFolder, scanner, format, output, ignoreError, push, bkOpts)
 	}()
 
 	select {
@@ -162,68 +162,54 @@ func removeIfNotDebug(workingFolder string) {
 func patchWithContext(
 	ctx context.Context,
 	ch chan error,
-	image, reportFile, reportDirectory, platformSpecificErrors, patchedTag, suffix, workingFolder, scanner, format, output string,
+	image, reportPath, patchedTag, suffix, workingFolder, scanner, format, output string,
 	ignoreError, push bool,
 	bkOpts buildkit.Opts,
 ) error {
-	if reportFile != "" && reportDirectory != "" {
-		return fmt.Errorf("both report file and directory provided, please provide only one")
-	}
-
-	// try report file
-	if reportFile != "" {
-		// check if reportFile exists
-		if _, err := os.Stat(reportFile); os.IsNotExist(err) {
-			return fmt.Errorf("report file %s does not exist", reportFile)
-		}
-		// check if reportFile is a file
-		f, err := os.Stat(reportFile)
-		if err != nil {
-			// handle common errors
-			if os.IsNotExist(err) {
-				return fmt.Errorf("report file %s does not exist", reportFile)
-			}
-			return fmt.Errorf("failed to stat report file %s: %w", reportFile, err)
-		}
-		if f.IsDir() {
-			return fmt.Errorf("report file %s is a directory, please provide a file", reportFile)
-		}
-		log.Debugf("Using report file: %s", reportFile)
+	// Handle empty report path - single-arch patching without report
+	if reportPath == "" {
 		platform := types.PatchPlatform{
 			Platform: platforms.Normalize(platforms.DefaultSpec()),
 		}
 		if platform.OS != LINUX {
 			platform.OS = LINUX
 		}
-		result, err := patchSingleArchImage(ctx, ch, image, reportFile, patchedTag, suffix, workingFolder, scanner, format, output, platform, ignoreError, push, bkOpts, false)
-		if err == nil && result != nil {
-			log.Infof("Patched image (%s): %s\n", platform.OS+"/"+platform.Architecture, result.PatchedRef.String())
-		}
-		return err
-	} else if reportDirectory == "" && reportFile == "" {
-		platform := types.PatchPlatform{
-			Platform: platforms.Normalize(platforms.DefaultSpec()),
-		}
-		if platform.OS != LINUX {
-			platform.OS = LINUX
-		}
-		result, err := patchSingleArchImage(ctx, ch, image, reportFile, patchedTag, suffix, workingFolder, scanner, format, output, platform, ignoreError, push, bkOpts, false)
+		result, err := patchSingleArchImage(ctx, ch, image, reportPath, patchedTag, suffix, workingFolder, scanner, format, output, platform, ignoreError, push, bkOpts, false)
 		if err == nil && result != nil && result.PatchedRef != nil {
 			log.Infof("Patched image (%s): %s\n", platform.OS+"/"+platform.Architecture, result.PatchedRef)
 		}
 		return err
 	}
 
-	// must be dealing with a multi-arch image, check the directory
-	f, err := os.Stat(reportDirectory)
-	if err != nil {
-		return err
+	// Check if reportPath exists
+	if _, err := os.Stat(reportPath); os.IsNotExist(err) {
+		return fmt.Errorf("report path %s does not exist", reportPath)
 	}
-	if !f.IsDir() {
-		return fmt.Errorf("provided report directory path %s is not a directory", reportDirectory)
+
+	// Get file info to determine if it's a file or directory
+	f, err := os.Stat(reportPath)
+	if err != nil {
+		return fmt.Errorf("failed to stat report path %s: %w", reportPath, err)
 	}
 
-	return patchMultiArchImage(ctx, ch, platformSpecificErrors, image, reportDirectory, patchedTag, suffix, workingFolder, scanner, format, output, ignoreError, push, bkOpts)
+	if f.IsDir() {
+		// Handle directory - multi-platform patching
+		log.Debugf("Using report directory: %s", reportPath)
+		return patchMultiPlatformImage(ctx, ch, image, reportPath, patchedTag, suffix, workingFolder, scanner, format, output, ignoreError, push, bkOpts)
+	}
+	// Handle file - single-arch patching
+	log.Debugf("Using report file: %s", reportPath)
+	platform := types.PatchPlatform{
+		Platform: platforms.Normalize(platforms.DefaultSpec()),
+	}
+	if platform.OS != LINUX {
+		platform.OS = LINUX
+	}
+	result, err := patchSingleArchImage(ctx, ch, image, reportPath, patchedTag, suffix, workingFolder, scanner, format, output, platform, ignoreError, push, bkOpts, false)
+	if err == nil && result != nil {
+		log.Infof("Patched image (%s): %s\n", platform.OS+"/"+platform.Architecture, result.PatchedRef.String())
+	}
+	return err
 }
 
 func patchSingleArchImage(
@@ -234,15 +220,15 @@ func patchSingleArchImage(
 	targetPlatform types.PatchPlatform,
 	ignoreError, push bool,
 	bkOpts buildkit.Opts,
-	multiArch bool,
+	multiPlatform bool,
 ) (*types.PatchResult, error) {
 	if reportFile == "" && output != "" {
 		log.Warn("No vulnerability report was provided, so no VEX output will be generated.")
 	}
 
 	// if the target platform is different from the host platform, we need to check if emulation is enabled
-	// only need to do this check if were patching a multi-arch image
-	if multiArch {
+	// only need to do this check if were patching a multi-platform image
+	if multiPlatform {
 		hostPlatform := platforms.Normalize(platforms.DefaultSpec())
 		if hostPlatform.OS != LINUX {
 			hostPlatform.OS = LINUX
@@ -273,7 +259,7 @@ func patchSingleArchImage(
 	if err != nil {
 		return nil, err
 	}
-	if multiArch {
+	if multiPlatform {
 		patchedTag = archTag(patchedTag, targetPlatform.Architecture, targetPlatform.Variant)
 	}
 	patchedImageName := fmt.Sprintf("%s:%s", imageName.Name(), patchedTag)
@@ -760,14 +746,14 @@ func getRepoNameWithDigest(patchedImageName, imageDigest string) string {
 	return nameWithDigest
 }
 
-func patchMultiArchImage(
+func patchMultiPlatformImage(
 	ctx context.Context,
 	ch chan error,
-	platformSpecificErrors, image, reportDir, patchedTag, suffix, workingFolder, scanner, format, output string,
+	image, reportDir, patchedTag, suffix, workingFolder, scanner, format, output string,
 	ignoreError, push bool,
 	bkOpts buildkit.Opts,
 ) error {
-	log.Debugf("Handling platform specific errors with %s", platformSpecificErrors)
+	log.Debugf("Handling platform specific errors with ignore-errors=%t", ignoreError)
 	platforms, err := buildkit.DiscoverPlatforms(image, reportDir, scanner)
 	if err != nil {
 		return err
@@ -783,15 +769,12 @@ func patchMultiArchImage(
 	patchResults := []types.PatchResult{}
 
 	handlePlatformErr := func(p types.PatchPlatform, err error) error {
-		switch platformSpecificErrors {
-		case "ignore":
-			return nil
-		case "skip":
+		if ignoreError {
 			log.Warnf("Ignoring error for platform %s: %v", p.OS+"/"+p.Architecture, err)
 			return nil
-		default:
-			return fmt.Errorf("platform %s failed: %w", p.OS+"/"+p.Architecture, err)
 		}
+		log.Warnf("Error for platform %s: %v", p.OS+"/"+p.Architecture, err)
+		return fmt.Errorf("platform %s failed: %w", p.OS+"/"+p.Architecture, err)
 	}
 
 	for _, p := range platforms {
@@ -840,7 +823,7 @@ func patchMultiArchImage(
 	}
 
 	if push {
-		err = createMultiArchManifest(ctx, patchedImageName, patchResults)
+		err = createMultiPlatformManifest(ctx, patchedImageName, patchResults)
 		if err != nil {
 			return fmt.Errorf("manifest list creation failed: %w", err)
 		}
@@ -852,7 +835,7 @@ func patchMultiArchImage(
 			for _, result := range patchResults {
 				log.Infof("  docker push %s", result.PatchedRef.String())
 			}
-			log.Infof("To create and push the multi-arch manifest, run:")
+			log.Infof("To create and push the multi-platform manifest, run:")
 			refs := make([]string, len(patchResults))
 			for i, result := range patchResults {
 				refs[i] = result.PatchedRef.String()
@@ -864,7 +847,7 @@ func patchMultiArchImage(
 		}
 	}
 
-	log.Infof("Multi-arch image patched with tag %s", patchedImageName.String())
+	log.Infof("Multi-platform image patched with tag %s", patchedImageName.String())
 
 	return nil
 }

pkg/patch/patch.go

@@ -512,7 +512,7 @@ func TestPatch_BuildReturnsNilResponse(t *testing.T) {
 	err := Patch(
 		context.Background(),
 		30*time.Second,
-		"alpine:3.19", "", "", "", "", "", "", "", "", "",
+		"alpine:3.19", "", "", "", "", "", "", "",
 		false, true,
 		buildkit.Opts{},
 	)